DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

This article provides clear, simple, actionable guidance for implementing Access Control security in your applications.

What is Access Control / Authorization?

Authorization is the process of deciding whether a request to access a particular resource should be granted or denied. Note that authorization is not equivalent to authentication; these terms and their definitions are frequently confused.

Access Control is the method or mechanism of authorization that enforces whether requests to a system resource or functionality should be granted.

Role Based Access Control (RBAC) is commonly used to manage permissions within an application. Permissions are assigned to users in a many-to-many relationship.

Discretionary Access Control (DAC) is commonly used to manage permissions within an operating system.

Mandatory Access Control (MAC) is a classification-based system of objects and subjects. To "write up", a subject's clearance level must be dominated by the security level of the object being written to. To "read down", a subject's clearance level must dominate the security level of the object being read. In this system, a subject may be able to write to an object but never be able to read it. This prevents malicious software from leaking data between classification levels: "write up" prevents leakage from high to low.
(See the Orange Book for more information about classification levels and confidentiality controls in "DAC" and "MAC".)
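
The "read down" / "write up" rules above, written as a small decision function. This is an added example, not part of the original cheat sheet. The level names, the compartment sets and every subject and object in it are constructed for illustration, and compartments generalize the plain level comparison described in the text.

```python
from dataclasses import dataclass

# Constructed ordering of classification levels (an assumption for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as `other` and holds
        every compartment that `other` holds."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    # "Read down": the subject's clearance must dominate the object's level.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # "Write up": the object's level must dominate the subject's clearance.
    return obj.dominates(subject)


def decide(subject: Label, obj: Label) -> dict:
    """Return the MAC decision for both operations on one subject/object pair."""
    return {"read": can_read(subject, obj), "write": can_write(subject, obj)}


# Constructed subject and objects.
analyst = Label("SECRET", frozenset({"CRYPTO"}))
public_note = Label("UNCLASSIFIED")
war_plan = Label("TOP_SECRET", frozenset({"CRYPTO"}))
peer_report = Label("SECRET", frozenset({"CRYPTO"}))
nuclear_file = Label("SECRET", frozenset({"NUCLEAR"}))

if __name__ == "__main__":
    for name, obj in [("public_note", public_note), ("war_plan", war_plan),
                      ("peer_report", peer_report), ("nuclear_file", nuclear_file)]:
        print(f"analyst -> {name}: {decide(analyst, obj)}")
```

The war_plan case is the write-only situation the paragraph describes: the subject may write to the object but cannot read it. The nuclear_file case shows that labels with unrelated compartments are incomparable, so both operations are denied.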